NCUA’s Regulations and Guidance

NCUA 12 CFR Section 748.0: Security Program (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)

Each federally insured credit union will:

  • Develop a written security program within 90 days of the effective date of insurance;
  • Design the program to protect each credit union office from robberies, burglaries, larcenies, and embezzlement;
  • Ensure the security and confidentiality of member records,
  • Protect against the anticipated threats or hazards to the security or integrity of such records, and
  • Protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member;
  • Respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member;
  • Assist in the identification of persons who commit or attempt such actions and crimes,
  • Prevent destruction of vital records as defined in 12 CFR Part 749, and
  • Dispose of any consumer information the Federal credit union maintains or otherwise possesses

Cybersecurity

Letters to Credit Unions

Risk Alerts

    Third Parties

    Letters to Credit Unions

      NCUA 12 CFR Part 748: Oversee Service Provider Arrangements

      Credit union officials are responsible for planning, directing, and controlling the credit union’s affairs. To fulfill these duties, the officials should require a due diligence review prior to entering into any arrangement with a third party. Each credit union should:

      • Exercise appropriate due diligence in selecting its service providers;
      • Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and
      • Where indicated by the credit union's risk assessment, monitor its service providers to confirm that they have satisfied their obligations.

      Business Continuity

      Letters to Credit Unions

      Risk Alerts

      NCUA 12 CFR Part 749 – Records Preservation Program

      • All credit unions must have a written program that includes plans for safeguarding records and reconstructing vital records.

      Federal Financial Institutions Examination Council (FFIEC) Guidance

      September 2022 Cybersecurity Resource Guide for Financial Institutions

      FFIEC IT Examination Handbook InfoBase

      The FFIEC Information Technology Examination Handbook is comprised of individual booklets. These booklets represent a series of updates to the existing 1996 FFIEC Information Systems Examination Handbook. They address significant changes in financial institution technology since 1996. They incorporate changes in technology-related risks and controls and follow a risk-based approach to evaluating risk management practices. The booklets provide valuable information to both examiners and financial institution management.

      FFIEC InfoBase Booklets

      Audit
      Business Continuity Management
      Development and Acquisition
      Information Security
      Management
      Architecture, Infrastructure, and Operations
      Outsourcing Technology Services
      Retail Payment Systems
      Supervision of Technology Service Providers (TSP)
      Wholesale Payment Systems

      Reports to Congress

      Cybersecurity and Credit Union System Resilience - June 27, 2022

      Cybersecurity and Credit Union System Resilience - June 30, 2021

      Last modified on 01/12/23